On Feb 26, 2006, at 1:39 PM, Tom Diehl wrote:
>
> The documentation I found for iptables says the default for udp
> connection tracking is 30 seconds. It is however adjustable by a
> kernel
> parameter at kernel compile time.
>
> At first I thought this might be caused by the linksys (The linksys
> is a
> new addition to my toys.) but I mv'd the routing back to the original
> machine and I see the same thing. I am not sure what to make of
> this nor
> am I sure if I should worry about it or not. The test queries I
> have made
> all respond and all of the zones have at least 2 nameservers on them.
One thing I missed in my previous email. The rule
> src dest service action
> ! internal net dns server tcp/udp 53 accept
would not match these packets because the rule matches destination
port 53, whereas the packets you see log entries for have source port
53. These packets should be matched by the automatic rule for
ESTABLISHED packets. This rule is added at the top of the policy
automatically if the corresponding checkbox is checked in the firewall
settings dialog (this is the default configuration). Some
administrators however turn this automatic rule off and add an
equivalent one manually. Did you do this? If you added it manually,
that would be the rule to check limiting options for.
One thing you could do to check if you are dropping some dns queries
would be to run the "dig" or "host" command for some dns record your name
server is authoritative for, from an external machine, in a tight loop
many times, printing something when the query times out. The idea is
to see if you are losing some small percentage of queries and then
try to match this data with firewall log entries. Knowing the address
of the machine you run the test from, you can easily find the
corresponding log entries, if any. Another useful data point from this
test would be the time it takes for each query. The idea is that even
if the firewall drops a dns response once in a while, the client will
resend the query and eventually get the response. You either need to
check how long it takes for the client to get the response or set the
timeout to some very small value, 1 or 2 sec, using the "+time=T"
parameter to dig or the "-W" option for the host command.
The idea of the test is to establish whether the problem is user
affecting, which will define its severity for you. I suspect you do
lose a small percentage of queries because of this but this may not be
very severe because resolvers can recover from it by retrying after a
certain timeout.
--vk
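
The probe loop and log correlation Vadim describes above, written out as an added Python example (not code from the fwbuilder list or project). It shells out to dig with +time=1 +tries=1 so a lost reply shows up as a timeout rather than a slow retry, counts timeouts, records per-query latency, and then filters netfilter-style LOG lines for replies (source port 53) addressed to the probe host. The host name, the addresses (RFC 5737 documentation ranges, with 192.168.0.2 as the name server from the thread) and the log lines are constructed for the example; the `query` and `clock` parameters exist only so the loop can be exercised without a network.

```python
"""Probe for lost DNS answers and correlate with firewall log lines.

Added example; not part of the fwbuilder mailing list thread. Implements the
test Vadim suggests: query a record the server is authoritative for many
times from an external machine with a short timeout, count timeouts, time
each query, then pull the firewall log lines that involve the probe host.
"""
import re
import subprocess
import time
from statistics import mean
from typing import Callable, Iterable


def dig_query(name: str, server: str, timeout_s: int = 1) -> bool:
    """One dig query; True if an answer came back, False on timeout or error.

    +time=N is dig's per-try timeout (Vadim's "+time=T"); +tries=1 disables
    retries so a lost reply is one failure rather than a slow success.
    """
    cmd = ["dig", f"@{server}", name, "A", f"+time={timeout_s}", "+tries=1", "+short"]
    try:
        res = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s + 5)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return res.returncode == 0 and res.stdout.strip() != ""


def probe(name: str, server: str, count: int,
          query: Callable[[str, str], bool] = dig_query,
          clock: Callable[[], float] = time.monotonic) -> dict:
    """Run `count` queries; return timeout count, loss percentage and latency figures."""
    durations = []
    timeouts = 0
    for _ in range(count):
        t0 = clock()
        ok = query(name, server)
        durations.append(clock() - t0)
        if not ok:
            timeouts += 1
    return {
        "sent": count,
        "timeouts": timeouts,
        "loss_pct": 100.0 * timeouts / count if count else 0.0,
        "max_s": max(durations) if durations else 0.0,
        "mean_s": mean(durations) if durations else 0.0,
    }


# Fields as the netfilter LOG target prints them (SRC=, DST=, PROTO=, SPT=, DPT=).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=UDP\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)


def dropped_replies_for(log_lines: Iterable[str], probe_host: str) -> list:
    """Log lines for DNS replies (source port 53) addressed to the probe host.

    A probe query that timed out should have a counterpart here: the dropped
    packet is the server's reply, so it has SPT=53 and the probe host as DST.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["dst"] == probe_host and m["spt"] == "53":
            hits.append(line)
    return hits


# Constructed sample log lines in netfilter LOG format: vlan0 internal, vlan1
# external (as Tom corrected), name server 192.168.0.2, probe host 198.51.100.10.
SAMPLE_LOG = [
    "Feb 26 13:02:11 gw kernel: DROP IN=vlan0 OUT=vlan1 SRC=192.168.0.2 DST=198.51.100.10 "
    "LEN=97 TTL=63 PROTO=UDP SPT=53 DPT=41233 LEN=77",
    "Feb 26 13:02:40 gw kernel: DROP IN=vlan0 OUT=vlan1 SRC=192.168.0.2 DST=203.0.113.7 "
    "LEN=85 TTL=63 PROTO=UDP SPT=53 DPT=50112 LEN=65",
    "Feb 26 13:03:05 gw kernel: DROP IN=vlan1 OUT=vlan0 SRC=198.51.100.10 DST=192.168.0.2 "
    "LEN=60 TTL=51 PROTO=UDP SPT=41233 DPT=53 LEN=40",  # a query, not a reply
]

if __name__ == "__main__":
    # Real run (needs dig and network): 200 queries with a 1 s timeout.
    print(probe("www.example.com.", "192.168.0.2", 200))
    for entry in dropped_replies_for(SAMPLE_LOG, "198.51.100.10"):
        print("matching log entry:", entry)
```

Run it from the external machine, then compare the loss percentage against the number of matching log lines for that machine's address on the firewall; if the two agree, the drops are the timed-out replies Vadim describes.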

On Feb 26, 2006, at 12:41 PM, Christof Kallfass wrote:
> Hello Vadim,
>
> thank you for your mail.
>
>> did you compile the program from source yourself ? Getting support
>> for snmp is sometimes little tricky. See a note in the installation
>> instructions online
> http://www.fwbuilder.org/archives/cat_installation.html#000153
>
> No, I didn't compile it. I just downloaded the RPMs for Suse10 from
> http://www.suse-linux.ro/rpms/ .
> On my system the libelf package was missing. But after installing it,
> snmp does not work anyway.
>
> Could you please give me some information on whether the Suse RPMs support snmp.
>
It looks like these RPMs do not support snmp. Support for it is
added at compile time and the libelf library must be present
then for it to work. You can try to compile fwbuilder from source
yourself, it is not very difficult.
--vk
> Thanks a lot.
>
> Best regards
>
> Christof
>
>
> -----Original Message-----
> From: fwbuilder-discussion-admin@...
> [mailto:fwbuilder-discussion-admin@...] On Behalf Of
> Vadim Kurland
> Sent: Saturday, 25 February 2006 23:50
> To: christof.kallfass@...
> Cc: fwbuilder-discussion@...
> Subject: Re: [Fwbuilder-discussion] Using SNMP to get interface
> configuration
>
>
>
> On Feb 25, 2006, at 2:19 PM, Christof Kallfass wrote:
>
>> Hello all,
>>
>> I'm using fwbuilder 2.0.10-1 on Open Suse Linux 10. When I create a
>> new
>> firewall object it is not possible to get the interfaces configured
>> using snmp (the section 'Use snmp ...' is grayed out). The snmpd is
>> started and net-snmp is installed. Could you please give me some
>> advice,
>> where I could take a look to get this fixed.
>>
>
> did you compile the program from source yourself ? Getting support
> for snmp is sometimes little tricky. See a note in the installation
> instructions online
> http://www.fwbuilder.org/archives/cat_installation.html#000153
>
> I am actually not quite sure if my SuSE RPMs came out with support
> for snmp, I need to check on that.
>
> --vk
>
> _______________________________________________
> Fwbuilder-discussion mailing list
> Fwbuilder-discussion@...
> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion

On Sat, 25 Feb 2006, Vadim Kurland wrote:
>
> On Feb 25, 2006, at 10:57 PM, Tom Diehl wrote:
>
> > Hi all,
> >
> > Would someone please have a look at the following logs and see if
> > you can
> > help me understand what is going on here. I have a linksys wrt54G
> > running
> > openWRT White Russian. The external interface (vlan0) has the
> > public ip
> > addresses on it and the internal interface (vlan1) has
> > 192.168.0.0/24 addresses
> > on it.
>
> the log entries indicate that the packet entered the firewall through
> vlan0 and was supposed to exit through vlan1. The source address of the
> packet is that of your name server, 192.168.0.2. This seems to point
> at vlan0 as the internal and vlan1 as the external interface, but you say it
> is the other way around. Which one is it ?
You are correct. I got it backwards. vlan0 is internal vlan1 is external.
Sorry.
>
> Is this name server authoritative for some zone ? It looks like many
Yes, it is authoritative for about 200 zones.
> external machines query it. Do queries made from outside to your name
> server work ?
Yes, I was watching the dns query logs and I can see it answering the requests.
I also ran some queries from dnsstuff.com and the longest response was about
400 ms.
> I'll assume we are talking about legitimate dns queries coming from
> the outside to this name server and most of the queries work fine but
> some don't. In this case one possible reason might be that sometimes
Yes they are legit. I have not actually been able to confirm if the server
is actually losing legit queries or not. Based on the log entries I think
it is reasonable to assume that some queries are lost but...
> the name server takes longer to respond and the firewall times out
> its internal state entry for the UDP session. The UDP protocol itself
> is stateless but the firewall emulates state by remembering
> information about the original UDP query packet so that it can match
> and permit the response when it comes. Since there is no reliable way to
> determine when the session ends, the firewall remembers this state
> information for a certain period of time and just purges it after
> this period of time expires if the answer packet does not come. If the
> name server becomes slow for some reason, it may answer after the
> firewall has timed out and you'll see this entry in the log. I do not
> remember what the default timeout for the UDP state in iptables is,
> but you can look it up.
The documentation I found for iptables says the default for udp
connection tracking is 30 seconds. It is however adjustable by a kernel
parameter at kernel compile time.
At first I thought this might be caused by the linksys (The linksys is a
new addition to my toys.) but I mv'd the routing back to the original
machine and I see the same thing. I am not sure what to make of this nor
am I sure if I should worry about it or not. The test queries I have made
all respond and all of the zones have at least 2 nameservers on them.
Suggestions??
Regards,
Tom Diehl        tdiehl@...        Spamtrap address mtd123@...
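
A small emulation of the UDP pseudo-state Vadim describes in the quoted text, added here as an illustration in Python; it is not code from the fwbuilder list, from fwbuilder or from iptables. It keeps a table keyed by the query's address/port 4-tuple, expires entries after the 30 second timeout Tom quotes, and shows that a reply arriving after the entry was purged no longer matches ESTABLISHED and is dropped and logged. It also shows the point Vadim makes in his follow-up about the static rule: a rule matching destination port 53 never matches the reply, whose source port is 53. The client address, ports and timings are constructed; the model ignores nf_conntrack details such as the longer timeout for assured streams.

```python
"""Emulated UDP connection tracking with a fixed state timeout.

Added example, not from the fwbuilder list or iptables sources. Models what
Vadim describes: the firewall records a UDP query, keeps the entry for a fixed
time, and a reply that arrives after the entry was purged no longer matches
ESTABLISHED and is dropped (and logged).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UDP_TIMEOUT = 30.0  # seconds; the default Tom found in the iptables documentation


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The reply direction of this flow."""
        return Flow(self.dst, self.dport, self.src, self.sport)


def static_dns_rule_matches(flow: Flow) -> bool:
    """'! internal net -> dns server, udp 53, accept' reduced to its port check.

    Matches queries (DPT=53) but never replies (SPT=53, ephemeral DPT), which is
    why replies have to be covered by the ESTABLISHED rule instead.
    """
    return flow.dport == 53


@dataclass
class ConntrackTable:
    timeout: float = UDP_TIMEOUT
    entries: Dict[Flow, float] = field(default_factory=dict)      # flow -> expiry time
    log: List[Tuple[float, Flow]] = field(default_factory=list)   # dropped packets

    def _purge(self, now: float) -> None:
        """Forget every entry whose timer has run out."""
        for flow in [f for f, exp in self.entries.items() if exp <= now]:
            del self.entries[flow]

    def new_query(self, flow: Flow, now: float) -> str:
        self._purge(now)
        self.entries[flow] = now + self.timeout
        return "NEW"

    def reply(self, flow: Flow, now: float) -> str:
        """Verdict for a reply: ESTABLISHED while the query entry is alive, else DROP."""
        self._purge(now)
        original = flow.reverse()
        if original in self.entries:
            self.entries[original] = now + self.timeout  # traffic refreshes the entry
            return "ESTABLISHED"
        self.log.append((now, flow))  # what the firewall log entry would record
        return "DROP"


def simulate(reply_delays: List[float],
             timeout: float = UDP_TIMEOUT) -> Tuple[List[str], List[Tuple[float, Flow]]]:
    """One query per delay value (seconds between query and reply); returns verdicts and drops."""
    table = ConntrackTable(timeout)
    verdicts = []
    now = 0.0
    for i, delay in enumerate(reply_delays):
        # constructed: external client 198.51.100.10 queries name server 192.168.0.2
        query = Flow("198.51.100.10", 40000 + i, "192.168.0.2", 53)
        table.new_query(query, now)
        verdicts.append(table.reply(query.reverse(), now + delay))
        now += 60.0  # next query a minute later
    return verdicts, table.log


if __name__ == "__main__":
    verdicts, dropped = simulate([0.4, 29.0, 31.0, 0.1])
    print(verdicts)           # the 31 s reply is dropped
    for when, pkt in dropped:
        print(f"t={when}s DROP SRC={pkt.src} SPT={pkt.sport} DST={pkt.dst} DPT={pkt.dport}")
```

The dropped entry has the name server as source and port 53 as source port, exactly the shape of the log lines under discussion; the fix is either a faster name server or a longer UDP state timeout, not a change to the port 53 accept rule.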

Hello Vadim,
thank you for your mail.
> did you compile the program from source yourself ? Getting support
> for snmp is sometimes little tricky. See a note in the installation
> instructions online
http://www.fwbuilder.org/archives/cat_installation.html#000153
No, I didn't compile it. I just downloaded the RPMs for Suse10 from
http://www.suse-linux.ro/rpms/ .
On my system the libelf package was missing. But after installing it,
snmp does not work anyway.
Could you please give me some information on whether the Suse RPMs support snmp.
Thanks a lot.
Best regards
Christof
-----Original Message-----
From: fwbuilder-discussion-admin@...
[mailto:fwbuilder-discussion-admin@...] On Behalf Of
Vadim Kurland
Sent: Saturday, 25 February 2006 23:50
To: christof.kallfass@...
Cc: fwbuilder-discussion@...
Subject: Re: [Fwbuilder-discussion] Using SNMP to get interface
configuration
On Feb 25, 2006, at 2:19 PM, Christof Kallfass wrote:
> Hello all,
>
> I'm using fwbuilder 2.0.10-1 on Open Suse Linux 10. When I create a
> new
> firewall object it is not possible to get the interfaces configured
> using snmp (the section 'Use snmp ...' is grayed out). The snmpd is
> started and net-snmp is installed. Could you please give me some advice,
> where I could take a look to get this fixed.
>
did you compile the program from source yourself ? Getting support
for snmp is sometimes little tricky. See a note in the installation
instructions online
http://www.fwbuilder.org/archives/cat_installation.html#000153
I am actually not quite sure if my SuSE RPMs came out with support
for snmp, I need to check on that.
--vk

The more generic issue is MAC address cloning which comes in handy from time
to time.
tedc
-----Original Message-----
From: fwbuilder-discussion-admin@...
[mailto:fwbuilder-discussion-admin@...] On Behalf Of Doug
Lytle
Sent: Sunday, February 26, 2006 9:24 AM
To: Fwbuilder List
Subject: Re: [Fwbuilder-discussion] MAC address per virtual interface?
Lupe Christoph wrote:
> That's very strange. Can you please send the output of ifconfig -a when
> you have them configured? Obfuscated, of course.
>
> Also, try pinging these addresses when they are not configured (or the
> virtual interfaces are down). Maybe something is on your net you are not
> aware of.
>
I would only be able to do this on a Saturday (Not currently onsite) and
need to schedule the down time. I'll see if I can do it on this
upcoming Saturday.
Thanks for your input.
Doug
--
Ben Franklin quote:
"Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety."

Lupe Christoph wrote:
> That's very strange. Can you please send the output of ifconfig -a when
> you have them configured? Obfuscated, of course.
>
> Also, try pinging these addresses when they are not configured (or the
> virtual interfaces are down). Maybe something is on your net you are not
> aware of.
>
I would only be able to do this on a Saturday (Not currently onsite) and
need to schedule the down time. I'll see if I can do it on this
upcoming Saturday.
Thanks for your input.
Doug
--
Ben Franklin quote:
"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."

On Sunday, 2006-02-26 at 10:41:49 -0500, Doug Lytle wrote:
> The addresses that I have listed so far that won't work:
> .68
> .72
> .75
> .93
That's very strange. Can you please send the output of ifconfig -a when
you have them configured? Obfuscated, of course.
Also, try pinging these addresses when they are not configured (or the
virtual interfaces are down). Maybe something is on your net you are not
aware of.
Lupe Christoph
--
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest |
| bidder. Makes you feel good, doesn't it? |
| Rockhound in "Armageddon", 1998, about the Space Shuttle |

Vadim Kurland ✈ wrote:
>
> could you elaborate on this ? Do you mean ping sent from one of the
> internal machines works but attempts to connect to the corresponding
> address from outside fail ?
>
Correct.
> the only situation I can think of where number of addresses for a
> single MAC address would matter is when the ISP artificially limits it
> (and even then I do not know which network equipment allows to do this
> and how). If that is the case and if they gave you 30 address, I would
> guess they should be able to adjust their limiting accordingly. Have
> you tried to ask them ?
>
Our network admin is in contact with them. He said they are not quite
sure what's going on and said it might be because of the MAC address 'issue'.
> Also, do these 30 addresses correctly form a single /27 subnet (with
> network and broadcast addresses added to make it 32 ) ? There must be
> correct routing set up on the ISP side to route all 30 addresses back
> to you and if there is a mistake in address allocation, some addresses
> may not be routed as expected. This is just a guess of course but you
> say you have found 4 addresses that do not work and that makes me
> wonder...
>
Correct as well:
add_addr xx.xx.xx.80 32 eth0 (Firewall)
add_addr xx.xx.xx.92 32 eth0
add_addr xx.xx.xx.70 32 eth0
add_addr xx.xx.xx.71 32 eth0
add_addr xx.xx.xx.90 32 eth0
add_addr xx.xx.xx.91 32 eth0
add_addr xx.xx.xx.76 32 eth0
add_addr xx.xx.xx.93 32 eth0
add_addr xx.xx.xx.67 32 eth0
--
Ben Franklin quote:
"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."
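
The check behind Vadim's /27 question, as an added Python example (not code from the fwbuilder list or project): given the configured addresses and the ones that fail, work out whether they all sit in one /27, what its network and broadcast addresses are, and whether any failing address is one of those two reserved ones. The real prefix is obfuscated as xx.xx.xx in Doug's message, so 203.0.113.0/24 (an RFC 5737 documentation range) stands in for it; only the host parts are Doug's.

```python
"""Check whether a set of ISP-assigned addresses forms one /27 block.

Added example, not from the fwbuilder list. Answers Vadim's question: does the
allocation fit a single /27 (30 usable + network + broadcast), and are any of
the addresses that fail the two reserved ones? The real prefix is obfuscated
as xx.xx.xx in Doug's message, so 203.0.113.0/24 (a documentation range) is
used as a constructed stand-in.
"""
import ipaddress
from typing import Iterable, Optional


def enclosing_block(addresses: Iterable[str],
                    prefixlen: int = 27) -> Optional[ipaddress.IPv4Network]:
    """The single /prefixlen network containing every address, or None if they straddle blocks."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addresses}
    return nets.pop() if len(nets) == 1 else None


def check_allocation(configured: Iterable[str], not_working: Iterable[str],
                     prefixlen: int = 27) -> dict:
    """Report the block, its reserved addresses and which failures they explain."""
    not_working = list(not_working)
    net = enclosing_block(list(configured) + not_working, prefixlen)
    if net is None:
        return {"single_block": False}
    reserved = {net.network_address, net.broadcast_address}
    explained = [a for a in not_working if ipaddress.ip_address(a) in reserved]
    unexplained = [a for a in not_working if ipaddress.ip_address(a) not in reserved]
    return {
        "single_block": True,
        "network": str(net),
        "usable": net.num_addresses - 2,
        "reserved": sorted(str(r) for r in reserved),
        "explained": explained,      # failing addresses that are network/broadcast
        "unexplained": unexplained,  # failures the allocation itself does not account for
    }


# Constructed stand-ins for the host parts Doug listed (.80 .92 .70 .71 .90 .91 .76 .93 .67)
# and the ones he reports as not working (.68 .72 .75 .93).
CONFIGURED = [f"203.0.113.{h}" for h in (80, 92, 70, 71, 90, 91, 76, 93, 67)]
NOT_WORKING = [f"203.0.113.{h}" for h in (68, 72, 75, 93)]

if __name__ == "__main__":
    print(check_allocation(CONFIGURED, NOT_WORKING))
```

With Doug's host parts every address falls inside one /27 (.64 to .95) and none of the four failing addresses is the network or broadcast address, so the allocation itself does not explain the failures and the question goes back to the ISP's routing.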

On Feb 26, 2006, at 5:13 AM, Doug Lytle wrote:
>
> Lupe Christoph wrote:
>> On Friday, 2006-02-24 at 16:24:44 -0500, Doug Lytle wrote:
>> What are you trying to accomplish, anyway? Most people requesting
>> something like this are confused about the nature of MAC addresses.
>>
>
> We've been given a block of 30 addresses by our ISP, we've used 8
> of them so far. All of them are attached to ETH0. Then, they are
> natted to their proper machines on the DMZ. Seems that some of the
> addresses will function (PING) from the local network, but from a
> real world address they just time out. We have to keep changing
> addresses until we find one that works.
could you elaborate on this ? Do you mean ping sent from one of the
internal machines works but attempts to connect to the corresponding
address from outside fail ?
the only situation I can think of where number of addresses for a
single MAC address would matter is when the ISP artificially limits
it (and even then I do not know which network equipment allows to do
this and how). If that is the case and if they gave you 30 addresses, I
would guess they should be able to adjust their limiting accordingly.
Have you tried to ask them ?
Also, do these 30 addresses correctly form a single /27 subnet (with
network and broadcast addresses added to make it 32 ) ? There must be
correct routing set up on the ISP side to route all 30 addresses back
to you and if there is a mistake in address allocation, some
addresses may not be routed as expected. This is just a guess of
course but you say you have found 4 addresses that do not work and
that makes me wonder...
--vk
> We've noted 4 so far that will not function. The ISP is saying
> this is a MAC related issue, having so many addresses with the same
> MAC address. But, I don't know enough to tell them it's their
> issue. Isn't this how it's normally done?
>
> Doug
>
>
> --
> Ben Franklin quote:
>
> "Those who would give up Essential Liberty to purchase a little
> Temporary Safety, deserve neither Liberty nor Safety."

Lupe Christoph wrote:
> On Friday, 2006-02-24 at 16:24:44 -0500, Doug Lytle wrote:
>
> What are you trying to accomplish, anyway? Most people requesting
> something like this are confused about the nature of MAC addresses.
>
We've been given a block of 30 addresses by our ISP, we've used 8 of
them so far. All of them are attached to ETH0. Then, they are natted
to their proper machines on the DMZ. Seems that some of the addresses
will function (PING) from the local network, but from a real world
address they just time out. We have to keep changing addresses until we
find one that works. We've noted 4 so far that will not function. The
ISP is saying this is a MAC related issue, having so many addresses with
the same MAC address. But, I don't know enough to tell them it's their
issue. Isn't this how it's normally done?
Doug
--
Ben Franklin quote:
"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."

On Friday, 2006-02-24 at 16:24:44 -0500, Doug Lytle wrote:
> Is it possible to have a MAC address per virtual interface?
No. That's because they are *virtual*. Virtual interfaces are just
additional addresses assigned to a real interface (along with some more
information like the netmask and the broadcast address). An ethernet
interface is addressed by the MAC address. My time of looking at chip
specs is long gone, but I don't think you can assign more than one
unicast address to an ethernet chip.
> We have up to FWB8 and sometimes an address won't function. According to
> our ISP, it's because we have so many interfaces with only 1 MAC.
What are you trying to accomplish, anyway? Most people requesting
something like this are confused about the nature of MAC addresses.
HTH,
Lupe Christoph
--
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest |
| bidder. Makes you feel good, doesn't it? |
| Rockhound in "Armageddon", 1998, about the Space Shuttle |